From 77c4d3972400adf1bcb76ceea359f5453cc3e8e4 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Thu, 2 Jan 2020 23:16:30 +0100 Subject: [PATCH] Generate new Ed488 certificates Create a whole chain of Ed488 certificates so that we can use it at security level 4 (192 bit). We had an 2048 bit RSA (112 bit, level 2) root sign the Ed488 certificate using SHA256 (128 bit, level 3). Reviewed-by: Matt Caswell GH: #10785 --- test/certs/root-ed448-cert.pem | 10 ++++++++++ test/certs/root-ed448-key.pem | 4 ++++ test/certs/server-ed448-cert.pem | 21 +++++++++------------ test/certs/setup.sh | 5 +++++ test/ssl-tests/20-cert-select.conf | 8 ++++---- test/ssl-tests/20-cert-select.conf.in | 5 ++++- test/ssl-tests/28-seclevel.conf | 4 ++-- test/ssl-tests/28-seclevel.conf.in | 4 ++-- 8 files changed, 40 insertions(+), 21 deletions(-) create mode 100644 test/certs/root-ed448-cert.pem create mode 100644 test/certs/root-ed448-key.pem diff --git a/test/certs/root-ed448-cert.pem b/test/certs/root-ed448-cert.pem new file mode 100644 index 0000000000..48e293d69d --- /dev/null +++ b/test/certs/root-ed448-cert.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBeDCB+aADAgECAgEBMAUGAytlcTAVMRMwEQYDVQQDDApSb290IEVkNDQ4MCAX +DTIwMDIwOTEzMjY1NVoYDzIxMjAwMjEwMTMyNjU1WjAVMRMwEQYDVQQDDApSb290 +IEVkNDQ4MEMwBQYDK2VxAzoAbbhuwNA/rdlgdLSyTJ6WaCVNO1gzccKiKW6pCADM +McMBCNiQqWSt4EIbHpqDc+eWoiKbG6t7tjUAo1MwUTAdBgNVHQ4EFgQUVg2aQ+yh +VRhOuW1l19jtgxfTgj8wHwYDVR0jBBgwFoAUVg2aQ+yhVRhOuW1l19jtgxfTgj8w +DwYDVR0TAQH/BAUwAwEB/zAFBgMrZXEDcwCiXlZXyMubWFqLYiLXfKYrurajBMON +lclLrYr57Syd+nAIlgXiF0rGK2PawoMPXVB3VWWSigEb54AImb6tsW42gC+zC6oq +nkPC2FTLXPvqqgGXUpK/OfhPUP9bWw6mcJaIozlyzJD4AyebN9LDrBqCMwA= +-----END CERTIFICATE----- diff --git a/test/certs/root-ed448-key.pem b/test/certs/root-ed448-key.pem new file mode 100644 index 0000000000..e0c36ff43a --- /dev/null +++ b/test/certs/root-ed448-key.pem @@ -0,0 +1,4 @@ +-----BEGIN PRIVATE KEY----- +MEcCAQAwBQYDK2VxBDsEOQeryQn6L8gItRarrM0pRHxjNdtaIz3BrWU2mwhLZQaq +8Cm6w5gP6aitAIde7Td3nQ55bIGC5roxFQ== +-----END PRIVATE KEY----- diff --git a/test/certs/server-ed448-cert.pem b/test/certs/server-ed448-cert.pem index 740f275549..ba050077c3 100644 --- a/test/certs/server-ed448-cert.pem +++ b/test/certs/server-ed448-cert.pem @@ -1,14 +1,11 @@ -----BEGIN CERTIFICATE----- -MIICHTCCAQWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE4MDIyNzE1MDcxM1oYDzIxMTgwMjI4MTUwNzEzWjAQMQ4wDAYDVQQD -DAVFZDQ0ODBDMAUGAytlcQM6ABBicYlhG1s3AoG5BFmY3r50lJzjQoER4zwuieEe -QTvKxLEV06vGh79UWO6yQ5FxqmxvM1F/Xw7RAKNfMF0wHQYDVR0OBBYEFAwa1L4m -3pwA8+IEJ7K/4izrjJIHMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJ -MAkGA1UdEwQCMAAwEAYDVR0RBAkwB4IFRWQ0NDgwDQYJKoZIhvcNAQELBQADggEB -AAugH2aE6VvArnOVjKBtalqtHlx+NCC3+S65sdWc9A9sNgI1ZiN7dn76TKn5d0T7 -NqV8nY1rwQg6WPGrCD6Eh63qhotytqYIxltppb4MOUJcz/Zf0ZwhB5bUfwNB//Ih -5aZT86FpXVuyMnwUTWPcISJqpZiBv95yzZFMpniHFvecvV445ly4TFW5y6VURh40 -Tg4tMgjPTE7ADw+dX4FvnTWY3blxT1GzGxGvqWW4HgP8dOETnjmAwCzN0nUVmH9s -7ybHORcSljcpe0XH6L/K7mbI+r8mVLsAoIzUeDwUdKKJZ2uGEtdhQDmJBp4EjOXE -3qIn3wEQQ6ax4NIwkZihdLI= +MIIBlTCCARWgAwIBAgIBAjAFBgMrZXEwFTETMBEGA1UEAwwKUm9vdCBFZDQ0ODAg +Fw0yMDAyMDkxMzMwMjJaGA8yMTIwMDIxMDEzMzAyMlowEDEOMAwGA1UEAwwFZWQ0 +NDgwQzAFBgMrZXEDOgAQYnGJYRtbNwKBuQRZmN6+dJSc40KBEeM8LonhHkE7ysSx +FdOrxoe/VFjuskORcapsbzNRf18O0QCjdDByMB0GA1UdDgQWBBQMGtS+Jt6cAPPi +BCeyv+Is64ySBzAfBgNVHSMEGDAWgBRWDZpD7KFVGE65bWXX2O2DF9OCPzAJBgNV +HRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBAGA1UdEQQJMAeCBWVkNDQ4MAUG +AytlcQNzABLGZiaU6JPKa9eQ/VsE4HN9XjSogZBKIEHEWwyxrtGvjWiZ5MOnNJmQ +7mX+Y2eJzfZ6MGHc63IlgPdIPFPzInnnAugw297kUNoLTg9SsGYeVGLbI3PNjwFL +mQ3508f1Jobb8qZnf8YFUZrd85aurgoKAA== -----END CERTIFICATE----- diff --git a/test/certs/setup.sh b/test/certs/setup.sh index bd0b663944..d58d0d789b 100755 --- a/test/certs/setup.sh +++ b/test/certs/setup.sh @@ -378,3 +378,8 @@ openssl req -new -nodes -subj "/CN=localhost" \ # CT entry ./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key + +OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genroot "Root Ed448" \ + root-ed448-key root-ed448-cert +OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ + server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert diff --git a/test/ssl-tests/20-cert-select.conf b/test/ssl-tests/20-cert-select.conf index 93f3a1ff68..757b973e57 100644 --- a/test/ssl-tests/20-cert-select.conf +++ b/test/ssl-tests/20-cert-select.conf @@ -216,9 +216,9 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [4-Ed448 CipherString and Signature Algorithm Selection-client] CipherString = aECDSA MaxProtocol = TLSv1.2 -RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem +RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem SignatureAlgorithms = ed448:ECDSA+SHA256 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer [test-4] @@ -421,7 +421,7 @@ CipherString = aECDSA Curves = X448 MaxProtocol = TLSv1.2 SignatureAlgorithms = ECDSA+SHA256:ed448 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer [test-10] @@ -1454,7 +1454,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [44-TLS 1.3 Ed448 Signature Algorithm Selection-client] CipherString = DEFAULT SignatureAlgorithms = ed448 -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer [test-44] diff --git a/test/ssl-tests/20-cert-select.conf.in b/test/ssl-tests/20-cert-select.conf.in index 5e9bfede5d..24093548cd 100644 --- a/test/ssl-tests/20-cert-select.conf.in +++ b/test/ssl-tests/20-cert-select.conf.in @@ -134,7 +134,8 @@ our @tests = ( "CipherString" => "aECDSA", "MaxProtocol" => "TLSv1.2", "SignatureAlgorithms" => "ed448:ECDSA+SHA256", - "RequestCAFile" => test_pem("root-cert.pem"), + "RequestCAFile" => test_pem("root-ed448-cert.pem"), + "VerifyCAFile" => test_pem("root-ed448-cert.pem"), }, test => { "ExpectedServerCertType" =>, "Ed448", @@ -231,6 +232,7 @@ our @tests = ( "CipherString" => "aECDSA", "MaxProtocol" => "TLSv1.2", "SignatureAlgorithms" => "ECDSA+SHA256:ed448", + "VerifyCAFile" => test_pem("root-ed448-cert.pem"), # Excluding P-256 from the supported curves list means server # certificate should be Ed25519 and not P-256 "Curves" => "X448" @@ -727,6 +729,7 @@ my @tests_tls_1_3 = ( server => $server_tls_1_3, client => { "SignatureAlgorithms" => "ed448", + "VerifyCAFile" => test_pem("root-ed448-cert.pem"), }, test => { "ExpectedServerCertType" => "Ed448", diff --git a/test/ssl-tests/28-seclevel.conf b/test/ssl-tests/28-seclevel.conf index f863f68b08..04a0c4fbd5 100644 --- a/test/ssl-tests/28-seclevel.conf +++ b/test/ssl-tests/28-seclevel.conf @@ -45,7 +45,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem [1-SECLEVEL 3 with ED448 key-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer [test-1] @@ -93,7 +93,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ed448-key.pem [3-SECLEVEL 3 with ED448 key, TLSv1.2-client] CipherString = DEFAULT -VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/root-ed448-cert.pem VerifyMode = Peer [test-3] diff --git a/test/ssl-tests/28-seclevel.conf.in b/test/ssl-tests/28-seclevel.conf.in index 9d400a45ed..f2cdc477ba 100644 --- a/test/ssl-tests/28-seclevel.conf.in +++ b/test/ssl-tests/28-seclevel.conf.in @@ -27,7 +27,7 @@ our @tests_ec = ( server => { "CipherString" => "DEFAULT:\@SECLEVEL=3", "Certificate" => test_pem("server-ed448-cert.pem"), "PrivateKey" => test_pem("server-ed448-key.pem") }, - client => { }, + client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, test => { "ExpectedResult" => "Success" }, }, { @@ -49,7 +49,7 @@ our @tests_tls1_2 = ( "Certificate" => test_pem("server-ed448-cert.pem"), "PrivateKey" => test_pem("server-ed448-key.pem"), "MaxProtocol" => "TLSv1.2" }, - client => { }, + client => { "VerifyCAFile" => test_pem("root-ed448-cert.pem") }, test => { "ExpectedResult" => "Success" }, }, ); -- 2.25.1